Is the era of passwords coming to an end?

cheeztoshobo

Summary

Google recently announced a passwordless sign-in called 'passkeys'. It seems that the use of passkeys will become more widespread in the future. 

 

Quotes

Quote

 Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms.

 

My thoughts

Google recently announced a new initiative for passwordless sign-in.

It appears that the use of passkeys will become more widespread in the future. 
Will this lead to the complete disappearance of passwords? 
And will passkeys or other similar security login methods be more convenient than passwords?

Sources

https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html

Link to comment

I doubt it will go that fast. Microsoft has been pushing passwordless logins for well over two years now. Haven't seen a major uptick in people using it. 

 

It's probably going to need Apple to innovate it to catch on.

Link to comment

Is this much different than the various log in with existing Google/Facebook/Twitter/Apple/etc. account things? You still need the account, and that account would likely have a password as part of it.

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible

Link to comment

If I could just sign in to everything using my fingerprint and 2FA code, then I would... but it would mean I would have to get a fingerprint reader for my desktop.

 

And no, I haven't thought about this beyond the huge convenience of not needing to use a password manager, so if it turns out to be much less secure than the current password system, then fuck that.


Link to comment

4 hours ago, FrowningHippo said:

I doubt it will go that fast. Microsoft has been pushing passwordless logins for well over two years now. Haven't seen a major uptick in people using it. 

 

It's probably going to need Apple to innovate it to catch on.

Apple is already onboard.

 

https://developer.apple.com/passkeys/

Link to comment

11 hours ago, FrowningHippo said:

I doubt it will go that fast. Microsoft has been pushing passwordless logins for well over two years now. Haven't seen a major uptick in people using it.

Like with these big brands and the power they hold, they can force you into it, if you like it or not. Even if they don't get a lot of users, as with the Edge browser.
 

Also would like more added to what they are adding to the topic.

Link to comment

2 hours ago, jagdtigger said:

Biometrics that consumers can afford are just as bad or even worse than passwords...

Not to mention they don't work reliably.

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.

Link to comment

Sounds like another bank vault door is being installed on a shed to secure a couple of lawnmowers from the 1930s.

Link to comment

On 5/11/2023 at 1:44 AM, FrowningHippo said:

I doubt it will go that fast. Microsoft has been pushing passwordless logins for well over two years now. Haven't seen a major uptick in people using it. 

 

It's probably going to need Apple to innovate it to catch on.

 

But Apple already does it... on the iPhone and iPad. It's the Mac that hasn't.

 

Which it needs to be pointed out, the reason why passwordless logins haven't caught on is because computer screens do not contain cameras or fingerprint sensors. Keyboards do not contain fingerprint sensors, and computer mice do not contain them either.

 

A phone or tablet is THE device that this works on. A computer does not without an accessory device, and because USB devices can be removed or replaced, it's entirely possible to marry your passwordless biometric to some cheap accessory that dies after a few years. Along with every key held by it.

 

It has to be said that the password should not go anywhere, but instead should be dialed back to the "thing you know" part of 2FA instead of this incredibly difficult "one capital, one lower case, one number, one symbol and some cursed rune" password setup that sites ask for and have no business asking for a complex password for. If I am not buying something from the site, I don't need a password longer than 8 characters made of all lower case letters.

 

So until such time there is a standard way to basically mount and plug in your iPhone/Android phone to your PC monitor to use as the facial biometric that also doubles as an auto-login system, I don't really see this working out.

 

You might also go "well, what about laptops?" Please... point me to at least two budget laptops that came with a stereo IR camera. If you find one at all, it'll be on a high end one, and even most of those are still using crappy 720p USB 2.0 cameras internally.

 

Link to comment

6 hours ago, Kisai said:

this incredibly difficult "one capital, one lower case, one number, one symbol and some cursed rune" password setup that sites ask for and have no business asking for a complex password for.

You are the textbook example of the "low hanging fruit" hackers are looking for.....

Link to comment

13 hours ago, Kisai said:

So until such time there is a standard way to basically mount and plug in your iPhone/Android phone to your PC monitor to use as the facial biometric that also doubles as an auto-login system, I don't really see this working out.

FIDO2 NFC keys are the way to go. Unfortunately they're not cheap at $50 each. You can find them for half the price, but some of the vendors don't seem to have a long track record, and the physical build quality doesn't seem very robust to me.

Oh, and you'll want to purchase at least 2 of them (the other a backup in case you lose the first), so that's $100 realistically.
 

Link to comment

Passwords have a few more years here, I feel like consumers hate passwords and love biometrics, but for government purposes passwords will stay since touch biometrics can be hacked easily with a fingerprint scan.

 

Yeah, I know face biometrics exist, but I don't think those are used that often in government documents.

Spoiler

How cool would the sci-fi scanners be if they exist, like the ones that shoot out lasers and scan the face (they may already exist)?

 

how are you doing today

Link to comment

Nope. The only way to get some security is multi-disciplined authorization, where you combine different tech in a layering effect. The problem now is most people use one small password over multiple accounts and that's it, they don't even use the 2FA. Bigger problem number two is people using smartphones with confidential info, accounts, etc. Your phone is for phone, text, general surfing with no logging in. If you use it that way with a fake account attached, you won't lose anything of value. Either get savvy or get pwned, take your pick.

Link to comment

Fingerprint may be safe, but using face is really stupid and unsafe and should be avoided.

Btw, LTT has been a good example that 2FA doesn't matter if an attacker can bypass it with stolen cookies. They should first fix that big hole that allows bypassing 2FA.

Link to comment

24 minutes ago, Winterlight said:

Fingerprint may be safe

You leave it basically everywhere making it pretty much useless. Not to mention that someone could knock you out.....

 

 

Now that I'm thinking about it, this reeks of police pushing something insecure so they can skip proper detective work...

Link to comment

4 hours ago, ebprince the computer nerd said:

Passwords have a few more years here, I feel like consumers hate passwords and love biometrics, but for government purposes passwords will stay since touch biometrics can be hacked easily with a fingerprint scan.

But camera surveillance and wake on approach, trust the system!
https://www.youtube.com/watch?v=3WFx-8agAq4

 

Link to comment

I activated Passkeys on my account. Here's to hoping it doesn't cause complications.

Link to comment

23 hours ago, jagdtigger said:

You are the textbook example of the "low hanging fruit" hackers are looking for.....

Please tell me why I have to log in to the bloody Nvidia, Intel, Razer, or Asus apps to download an update to these things. These things can be buzzoff1235 and nobody gains anything by hacking into it. Oh yay, you discovered I, j-random-internet user, own a hardware toy, lucky you. So do a million other people. Good luck with doing anything with that.

 

Link to comment

The issue is that most people re-use their passwords. So if a hacker is able to expose the password at one site, it takes little effort to know what email address is associated with those credentials and then move laterally across the internet attempting to access other common sites with the same email / pass combo. 

 

Which by the way is why people should be using a PW manager such as Bitwarden, Dashlane, etc, and protect that service using FIDO2 keys an alternate backup in case you lose or change your phone with the OTP app it's registered with.

Link to comment

On 5/12/2023 at 4:45 AM, Kisai said:

Keyboards do not contain fingerprint sensors…

FWIW, Apple does sell a wireless keyboard with their Touch ID built-in. It is also included with all but the lowest end iMac systems.

 

-kp

Link to comment

On 5/13/2023 at 12:53 PM, StDragon said:

The issue is that most people re-use their passwords. So if a hacker is able to expose the password at one site, it takes little effort to know what email address is associated with those credentials and then move laterally across the internet attempting to access other common sites with the same email / pass combo. 

 

And again, people reuse passwords because they can not be bothered to create 300 different password combinations for all the damn sites that want you to create a damn account just to see free content or use their hardware. 

 

People whine-complain about Microsoft accounts; if you cannot convince people that the Microsoft account is a good thing for this very reason, you're not going to convince people to use anything complicated for what are essentially accounts created because websites/apps/software/hardware refuse to operate normally without a cloud account.

 

On 5/13/2023 at 12:53 PM, StDragon said:

Which by the way is why people should be using a PW manager such as Bitwarden, Dashlane, etc, and protect that service using FIDO2 keys an alternate backup in case you lose or change your phone with the OTP app it's registered with.

Good, you tell Grandma that, and when she goes "speak English" you explain how she's too stupid for internet.

 

The amount of people that are competent at internet is very close to ZERO. Adding all this stuff on top drives it closer to zero than 100%.

 

Apple figured out an easy way to do it, everyone else jump on board. People who are actually doing IT security stuff can deal with all the obtuse password managers. 

 

Grandma just wants to login to her bank account, she doesn't want to learn how to login to her damn smartTV.

 

 

And before anyone mentions "password manager" again. It has been very basic security advice since the 90's NOT TO SAVE PASSWORDS. That is why you get your account breaches. Because you saved your account username and password in the web browser, thus enabling the session-jacking and credential leaking that's been a problem forever. People do not know the difference between saving passwords in Chrome and an actual password manager.

Link to comment

On 5/13/2023 at 2:12 AM, AI_Must_Di3 said:

Your phone is for phone, text, general surfing with no logging in.

You need to know that more and more people nowadays don't even own a computer and only have their phones.

Link to comment

On 5/11/2023 at 4:12 AM, cheeztoshobo said:

Summary

Google recently announced a passwordless sign-in called 'passkeys'. It seems that the use of passkeys will become more widespread in the future. 

 

Quotes

 

My thoughts

Google recently announced a new initiative for passwordless sign-in.

It appears that the use of passkeys will become more widespread in the future. 
Will this lead to the complete disappearance of passwords? 
And will passkeys or other similar security login methods be more convenient than passwords?

Sources

https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html

Fundamentally it's just another form of password with its own unique vulnerabilities. TBH they are worse options than standard passwords imho. You leave your fingerprint on every smooth surface you touch, any camera you pass by has your face, not to mention you'll likely be using the same finger for everything and you definitely only have one face. As for PINs... Well, it's a password but far easier to brute force, a 4 number PIN would only have 10 000 possible combinations.

Link to comment

4 hours ago, Kisai said:

Good, you tell Grandma that, and when she goes "speak English" you explain how she's too stupid for internet.

 

The amount of people that are competent at internet is very close to ZERO. Adding all this stuff on top drives it closer to zero than 100%.

The Internet has always been a mental arms-race between criminals (hacking, social engineering, etc) and the solutions needed to protect users. It's only going to get exponentially worse with AI that can crack code, bot generate SPAM, call users' phone numbers and engage in voice chat, and with greater compute cycles, brute-force crack PWs.
 

4 hours ago, Kisai said:

Apple figured out an easy way to do it, everyone else jump on board. People who are actually doing IT security stuff can deal with all the obtuse password managers. 

 

iOS as a platform has gotten way too complex compared to when it was released over 15 years ago! In fact, there's been recent news about how Gen-Z and Millennials are considering going back to "dumb phones".

 

Do you really think Grandma wants to use an Apple iOS device and all the complexities that go with it? It's a deep and complicated platform, no joke about that.

In fact, I think there will be a tipping point where there will be a renaissance in modern "dumb phones" that run the latest slimmed down Android and iOS platform, and they will sell like hotcakes for their styles, ease of use, and low cost. It's a snowball on top of a mountain, and all it takes is the slightest breeze to push down and start the ball rolling. Think about it, there's the boomers who have retired and aren't getting any younger. They will spend for a simpler lifestyle that can offer and maintain security.

Link to comment